Academies Plus – April 2026

By Magda Meier, Senior Manager, Moore Kingston Smith

The updated Academies Accounts Direction (AAD) was published on 25 March 2026 and applies to accounting periods ending on 31 August 2026. As in previous years, revised model accounts and an updated external auditors’ guide have also been issued.

Overall, the amendments are primarily narrative in nature, with a small number of more substantive changes, particularly in areas such as remuneration disclosures. The update also introduces a new Annex B, which outlines the changes that will be brought in under the new SORP 2026.

AAD updates: changes to the Trustees’ report

• The requirement under the section Structure, governance and management to disclose trade union facility time has been removed.
• The Streamlined Energy and Carbon Reporting (SECR) section has been updated to set out the thresholds for organisations within scope. This reflects the fact that the recent increases to the UK company size thresholds (applying from 6 April 2025) no longer align with SECR – who continues to use the original large company thresholds.

AAD updates: explanatory changes

• The definition of regularity has been updated to incorporate the following elements:
  • Sufficient legal basis;
  • Parliamentary authority;
  • Compatibility with Treasury authorisation; and
  • Alignment with spending budgets and the wider legal framework.
• The definition of propriety now expressly includes the requirement to maintain high standards of public conduct and adhere to relevant parliamentary control procedures and expectations.
• Additional clarification has been provided regarding capital grants in church academy trusts, referencing FRS 102 asset recognition criteria and the assessment of control over improved assets.

Updates to the model accounts

• Clarification has been added to governance statement for trusts with annual income above £50 million to include an in-house internal auditor. The previous version didn’t explicitly refer to the in-house services.
• It has been clarified that additional categories of special payments and significant transactions must be disclosed, including compensation payments, ex-gratia payments, debt write-offs, guarantees, letters of comfort, indemnities, acquisition or disposal of freehold land and buildings, disposal of heritage assets, leases of land and buildings, and gifts made by the trust.
• Staff restructuring costs must now include all payments in lieu of notice, whether contractual or non‑contractual.
• The £60,000 banded salary disclosure must include narrative explanations for:
  • part‑time employees whose full‑time equivalent remuneration would exceed £60,000 (with identification of the appropriate £10,000 band), and
  • employees who worked only part of the year but whose full‑year equivalent pay and benefits would exceed £60,000.
• The Key Management Personnel remuneration note must now separately disclose accrued remuneration. Separate disclosure is required for accrued remuneration of accounting officer. The disclosure must also include any off‑payroll arrangements (e.g., an AO or CFO approved by DfE) and consultancy income paid to former key management personnel.
• Related party disclosures must now include salary and benefits paid to the principal/chief executive when they are a trustee.

Framework and guide for external auditors: changes

• The guidance on limitation of scope has been expanded to include situations where management representations requested by auditors have not been provided on a timely basis.
• The Delegated authorities subsection on special severance payments has been simplified to eliminate repeated content already covered in the Academies Trust Handbook.
• A new subsection has been added to Annex C, requiring auditors to:
  • confirm that all key management personnel are on the trust’s payroll.
  • verify DfE approval for any off‑payroll arrangements, and
  • check approval for accrued but unpaid remuneration.

The guidance can be found on the GOV.UK website.

By William Hyde, Assistant Manager, Digital Transformation, Moore Kingston Smith

You already have AI, even if you haven’t signed up for it

Like many organisations, academies and MATs employ AI without ever having signed up for it or gone through the required vendor checks which other software would have carried out. This is because people will in all likelihood be using AI independently of any deployed technology, whether teachers are using it for lesson planning, support staff for drafting emails, or students for help with homework. As a result, leaving AI in this experimental grey area is becoming a strategic and control risk.

From ad-hoc tools to a trust-wide plan

AI use in many organisations can often be haphazard with limited central planning or overarching directives. Teams will use it for a variety of purposes and at very different levels throughout the organisation. The most prominent tool many people will be familiar with is ChatGPT, but other mainstream Large Language Models (LLMs) include Claude and Gemini. Many staff will likely have experimented with these and will have them included in their workflows in some manner.

There is of course an expectation that trusts should understand and plan their digital and technology position and avoid leaving such management to chance. In the same way that a trust is likely to have a single system for emails (e.g. Outlook), which will enable consistency and continuity, there is every reason to promote the integration of select AI tools for firmwide usage.

Clearly, going from nothing to several selected and sourced tools is not a straightforward process – so we highly recommend the implementation of a structured, high-level plan known as an AI roadmap. The first thing this should look to establish early is where AI is allowed/prohibited with specifics on uploading sensitive data to AI where this will cause it to leave any secure ecosystems. On the other side, it should look to have some detail on what current AI tools/use cases may be allowed or encouraged. Finally, it should have details on how AI projects can be proposed, how they would be risk-assessed and how the review process would look.

Training and awareness: bringing your people with you

A detailed roadmap is a great first step to take. However, it is all too easy for this roadmap to be something signed off in a committee meeting, emailed out to all staff and then forgotten about afterwards. This is why the staff training and understanding piece is of vital importance, just as it would be for any new or replacement piece of software.

Training should be woven into your roadmap as you advance through it. The likely highest priority is implementing some baseline AI awareness training for all staff. This should assume no innate knowledge of AI and should begin at the basics, including what AI is, simple dos and don’ts (especially around personal data), and the stance you are taking on AI usage. This should then progress to role-specific training on the available tools, including how to use them and how they can specifically help staff within their roles.

This training should take several formats. The initial baseline training can often be best in person with a specialist, be that internal or external. This allows staff to ask any specific questions they may have, as well as having the educator able to ratchet the content up or down depending on the level of knowledge shown. This should then be augmented by tool-specific training when new AI systems are made available, as well as short refreshers on the data security and governance on an annual basis. As well as this, identifying AI Champions within your organisation can be of great benefit. Some staff members likely already use the tools. Having them help to teach others can send a more positive message, as it comes from colleagues who understand the challenges.

Turning the experimentation into an opportunity

AI will continue to remain complex and very fast moving. No one can predict exactly what new tools will be made available in a year and how this will impact the workplace. But trusts which invest now in their strategy, training and governance will be better placed to both protect their pupils but also take advantage of these upcoming changes.

By Richard Jackson, Data Protection Officer, Moore Kingston Smith

The UK education sector is facing an unprecedented rise in cyber threats, driven not only by external attackers but increasingly by insiders. Recent analysis published by the Information Commissioner’s Office (ICO) reveals a striking trend: students are now responsible for most insider cybersecurity incidents in schools, with many breaches involving sophisticated tactics, stolen or guessed credentials, and misuse of staff accounts. Combined with weaknesses in staff data-handling practices and growing pressures, the sector is now navigating one of the most challenging cyber landscapes it has ever seen.

The ICO’s review of school data breaches highlights a significant shift in cyber risks.

Traditionally, schools focus on external threats such as ransomware or phishing. However, new evidence shows that internal misuse (particularly by pupils) is rapidly increasing.

Key findings from the report include:

• 57% of insider breaches in schools were caused by students.
• 30% of all insider incidents involved stolen or guessed login details, and students carried out 97% of those cases.
• Some incidents involved children as young as seven, highlighting how early digital literacy can enable inappropriate access.
• Motivation ranged from curiosity and rivalry to dares, boredom, and the desire to test hacking skills.

These findings indicate that insider threat is no longer incidental; it is systematic, growing, and severely underestimated.

Serious real-world cases underline the risk

In one notable incident, three Year 11 students used downloadable hacking tools to break into their school’s student records database, accessing the personal data of more than 1,400 pupils. Two of the students were active members of an online hacking forum, where they had learned how to bypass authentication controls.

In another case, a college student used stolen staff credentials to access, alter, or delete personal data relating to more than 9,000 students, staff, and applicants. The accessed data included safeguarding logs, home addresses, and health information – highlighting the serious risks that weak access controls can pose to sensitive personal information.

These examples illustrate how students can exploit vulnerabilities when internal systems lack robust security measures.

Staff behaviours still contributing to avoidable breaches

While students account for the largest share of insider cyber incidents, staff practices remain a major contributor to data protection failures.

According to ICO analysis, 23% of insider incidents are directly linked to poor staff data-handling behaviours.

Common issues include:

• accessing information without a legitimate purpose;
• leaving unlocked devices unattended;
• allowing pupils to use staff laptops or tablets;
• sending school data to personal email accounts or devices.

A further 17% of incidents stem from incorrect access rights, often caused by misconfigured systems such as SharePoint or cloud platform permissions.

Password hygiene also remains poor across many schools. The ICO continue to encounter passwords written on sticky notes, predictable formats, and widely shared login details, creating easy opportunities for internal misuse.

Together, these factors paint a picture of a sector that continues to struggle with the basics of data governance, despite handling some of the most sensitive information about children.

A growing culture of cyber risk among young people

One of the ICO’s most serious concerns is the wider culture of online experimentation among children. According to data from the National Crime Agency, referenced by the ICO, one in five children aged 10–16 has engaged in some form of illegal online activity.

Many student perpetrators investigated by schools were already:

• active on hacking forums;
• using tools designed to break passwords or exploit systems; and
• experimenting on their own school networks.

This blurring of curiosity and criminality shows why early digital safety education is becoming critical. When internal security controls are weak, schools inadvertently become testing grounds for young people exploring illegal cyber activity.

The ICO warns that this trend has long-term implications: a preventable school breach today may represent the first step toward more serious criminal behaviour in the future.

Rising external and third- party cybersecurity risks

While insider threats dominate the ICO’s findings, external cyber attacks and third-party vulnerabilities continue to impact UK education significantly.

New legislative and compliance pressures: 2024–2026

Schools are simultaneously navigating new legal obligations. The Data (Use and Access) Act 2025 introduces new expectations around:

• Subject Access Requests (including ‘stopping the clock’).
• reasonable and proportionate searches;
• automated decision-making transparency (especially relevant with increasing AI and EdTech use); and
• strengthened protections for children’s data.

Additionally, updated Department for Education guidance reinforces requirements relating to:

• AI and generative tools;
• new retention schedules;
• updated SAR procedures; and
• minimum expectations for information governance in schools.

These changes raise the regulatory bar significantly for school leaders and Data Protection Officers.

The following are examples of recent high-level security breaches

West Midlands based MAT (January 2026)

A major cyber incident forced the school to close for days while all IT systems (from phones to management information systems) were disabled. The school followed regulatory requirements by assessing the risk and reporting the suspected personal data breach to the ICO within 72 hours.

Swindon-Oxford based MAT (October 2025)

A third-party contractor breach exposed data belonging to around 3,000 school staff and volunteers, including high-risk identifiers. Nationally, this same supplier incident affected over 350,000 individuals across 1,500 schools, underscoring major vulnerabilities in supply chain security.

National SCR supplier attack (August 2025)

A cyber attack targeting a widely used Single Central Record provider compromised sensitive safeguarding and staffing information across multiple large trusts.

Email compromise through phishing (2025)

Several maintained schools suffered mailbox breaches exposing safeguarding notes, SEN data, and parent communications – highlighting phishing as the most common attack vector in education.

National early years provider breach (Autumn 2025)

Criminals breached a major early year’s provider used by maintained schools, stealing children’s records, photographs, home addresses and contextual safeguarding notes.

These incidents demonstrate the critical need for stronger supply-chain risk management, secure communications systems and robust incident response processes.

What schools need to do now

intensifying, the ICO’s message is clear: schools must strengthen their internal security culture.

Priority actions include:

• Improve access controls and enforce strong password policies;
• Strengthening monitoring, logging, and audit trails;
• Deliver regular staff training on data protection and device security;
• Implement strict joiner/mover/leaver processes;
• Review and update SAR procedures in line with 2025 legislation;
• Assess all AI tools through comprehensive DPIAs;
• Conduct rigorous supplier due diligence, including security assurances;
• Minimise the volume of personal data held by third parties; and
• Provide early digital safety education to deter harmful experimentation among pupils.

Conclusion

The education sector stands at a crossroads.

As the ICO’s findings show, students are now the biggest internal cyber threat in UK schools, while poor staff practices, weak credentials, and insecure third-party systems continue to create unnecessary risks.

Combined with new legislative pressures and increasingly sophisticated cybercrime, schools must prioritise data protection and cybersecurity at the highest strategic level. Strengthening internal controls is not just a compliance requirement, it is essential to protecting children’s safety, maintaining trust, and preventing pathways into future criminal behaviour.

Download the newsletter